


static MACHINE_CONFIG_START( tokio, bublbobl_state )

	/* basic machine hardware */
	MCFG_CPU_ADD("maincpu", Z80, MAIN_XTAL/4) // 6 MHz
	MCFG_CPU_PROGRAM_MAP(tokio_map)
	MCFG_CPU_VBLANK_INT_DRIVER("screen", bublbobl_state, irq0_line_hold)

	MCFG_CPU_ADD("slave", Z80, MAIN_XTAL/4) // 6 MHz
	MCFG_CPU_PROGRAM_MAP(tokio_slave_map)
	MCFG_CPU_VBLANK_INT_DRIVER("screen", bublbobl_state, irq0_line_hold)

	MCFG_CPU_ADD("audiocpu", Z80, MAIN_XTAL/6) // 3 MHz
	MCFG_CPU_PROGRAM_MAP(tokio_sound_map)

	MCFG_QUANTUM_TIME(attotime::from_hz(6000))

	MCFG_MACHINE_START_OVERRIDE(bublbobl_state, tokio)
	MCFG_MACHINE_RESET_OVERRIDE(bublbobl_state, tokio)

	/* video hardware */
	MCFG_SCREEN_ADD("screen", RASTER)
	MCFG_SCREEN_RAW_PARAMS(MAIN_XTAL/4, 384, 0, 256, 264, 16, 248)
	MCFG_SCREEN_UPDATE_DRIVER(bublbobl_state, screen_update_bublbobl)

	MCFG_GFXDECODE(bublbobl)
	MCFG_PALETTE_LENGTH(256)

	/* sound hardware */
	MCFG_SPEAKER_STANDARD_MONO("mono")

	MCFG_SOUND_ADD("ymsnd", YM2203, MAIN_XTAL/6)
	MCFG_SOUND_CONFIG(ym2203_config)
	MCFG_SOUND_ROUTE(0, "mono", 0.08)
	MCFG_SOUND_ROUTE(1, "mono", 0.08)
	MCFG_SOUND_ROUTE(2, "mono", 0.08)
	MCFG_SOUND_ROUTE(3, "mono", 1.0)
MACHINE_CONFIG_END

not everyone understands software 




This talk is about arcade games, the games where you put money in to play.

That money went into the operator's pocket, with no share for the arcade manufacturer.

To be successful, they had to be awesome.

"Dedicated" (hardware, controls...) is the key to their success.
It's based on the first racing game, Nürburgring (1975), made of 28 PCBs.






Berzerk was one of the first games with digitized speech.
It cost 1000 USD per word to digitize
(and it contained 16 words!)...
Battlezone, the first FPS, in 1980...
...was turned into a military trainer.










Outrun (Sega, 1986), an awesome racing game!
Hard Drivin' (1989), a 3D simulation way before modern GPUs existed.



[Photos: arcade cabinet artwork and game PCBs, with dedicated custom chips visible on them, among them a Taito TC0030CMD, a Rise Corp. COPX-D2 (1992) and Kaneko customs labelled "Mermaid" and "Beast" (Kaneko 1988)]


With awesome piracy came awesome protections:
once again, dedicated stuff, sometimes
tightly integrated with the game internals.

To store protected data, they went further:

store data in battery-powered RAM.

The battery dies, the game dies.

The manual doesn't even mention it!

And the warranty is void if you open the game's case.
[Screenshots of current store listings for the same games: Super Street Fighter II Turbo HD Remix (PS3, download, $9.99, Fighting / Head-to-Head Fighting, Out Now); a Wii Virtual Console listing (original release 1996, 2 players simultaneous, Action, publisher D4 Enterprise, 900 Wii Points); Xbox One / Xbox 360 / Xbox Live; Darkstalkers Resurrection (Capcom U.S.A., Inc., PSN game released Mar 12, 2013, 636 ratings, $14.99)]
Arcade games had to be awesome. They often used dedicated parts;
they were heavily pirated, and they were heavily protected.
So protected that it makes them vulnerable (to time)!
Hacking is the only way to preserve them.
A Final Fight bootleg, adding extra characters to control.

...but it was defeated nonetheless:
weak encryption plus encrypted data made a plaintext attack easy.
From Super SF2 (1993)
to Hyper SF2 (2003)
(how original!)

The Anniversary Edition.

Here is the complete list of bootlegs, hacks, swaps...
(absolutely NOTHING)



A CPS2 is a sandwich of 2 PCBs
(sometimes only 1, sometimes 3).

The game PCB contains code + data + protection.

What's in green is in the clear,
in red is encrypted.
Code and data are together;
code is encrypted, data isn't.
[MC68000 block diagram: processor status, peripheral control, system control, asynchronous bus control, bus arbitration control, interrupt control]


Table 3-3. Function Code Outputs

  FC2   FC1   FC0   Address Space Type
  Low   Low   Low   (Undefined, Reserved)
  Low   Low   High  User Data
  Low   High  Low   User Program
  Low   High  High  (Undefined, Reserved)
  High  Low   Low   (Undefined, Reserved)
  High  Low   High  Supervisor Data
  High  High  Low   Supervisor Program
  High  High  High  CPU Space



Table 6-2. Exception Vector Assignment (first entries)

  Vector Number     Address                 Assignment
  Dec   Hex         Dec   Hex   Space
  0     0           0     000   SP        Reset: Initial SSP
  1     1           4     004   SP        Reset: Initial PC
  2     2           8     008   SD        Bus Error
  3     3           12    00C   SD        Address Error



Decryption is made on the fly, during memory fetch:

read standard memory? as is
read for execution? decrypt

(68000 manual note on Table 6-2:) vector 0 requires four words, unlike the other vectors which only require two words, and is located in the supervisor program space.



Patch an opcode (unknown encryption)
→ black screen, game over, retry?

AWESOME
Capcom had a major competitor.

As a last effort, they backported a recent CPS2 game:
the first decrypted CPS2 port!!!





To defeat a dragon, you need adventurers:

Razoola, Charles MacDonald, Andreas Naive, Nicola Salmoria, David Haywood, and many others.
(I worked with Razoola, and helped him on the PC side.)



ILLEGAL INSTRUCTION

ADDRESS : 7A0A0000
AC ADRS :
R W

MODE :
FC :

D0:FFFF4A44 D4:00A80158 A0:6FC42E65 A4:00FFB380
D1:00000004 D5:0000FFFF A1:00FF081C A5:00000000
D2:00080000 D6:00000000 A2:007082F0 A6:FFFFAD80
D3:00000008 D7:00000000 A3:00FFB19A A7:0000000A

SSP:00FF081C
SR:4A44

         +0   +2   +4   +6   +8   +A   +C   +E
00FF8000 0010 0000 0002 0000 0002 0071 0000 0000
00FF8010 0000 0000 0000 0000 5680 0000 0000 9000
00FF8020 92C0 90C0 9100 9160 9140 0000 0000 01DA
00FF8030 000C 01B5 0006 000C 000F 12C2 0000 0000
00FF8040 0000 0000 003F 7000 807D 1234 0040 0010
00FF8050 0000 0000 0000 0000 0000 0000 0000 0000
00FF8060 E021 0F0C 0000 0000 0100 FFFF FFFF FFFF
00FF8070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF



In November 1999, Razoola re-enabled SFZ's internal debugger (the first working CPS2 patch!)
→ not blind anymore!

In spring 2000, he found that some specific memory ranges were not using encryption!
Why? No reason, just a big facepalm!
→ shellcode execution for a split second.




  Mode                                     Generation                    Syntax

  Register Direct Addressing
    Data Register Direct                   EA = Dn                       Dn
    Address Register Direct                EA = An                       An

  Absolute Data Addressing
    Absolute Short                         EA = (Next Word)              (xxx).W
    Absolute Long                          EA = (Next Two Words)         (xxx).L

  Program Counter Relative Addressing
    Relative with Offset                   EA = (PC) + d16               (d16,PC)
    Relative with Index and Offset         EA = (PC) + (Xn) + d8         (d8,PC,Xn)

  Register Indirect Addressing
    Register Indirect                      EA = (An)                     (An)
    Postincrement Register Indirect        EA = (An), An <- An + N       (An)+
    Predecrement Register Indirect         An <- An - N, EA = (An)       -(An)
    Register Indirect with Offset          EA = (An) + d16               (d16,An)
    Indexed Register Indirect with Offset  EA = (An) + (Xn) + d8         (d8,An,Xn)

  Immediate Data Addressing
    Immediate                              DATA = Next Word(s)           #<data>
    Quick Immediate                        Inherent Data

  Implied Addressing                       EA = SR, USP, SSP, PC,        SR, USP, SSP, PC,
                                           VBR, SFC, DFC                 VBR, SFC, DFC

When reading relative to code (PC),
memory fetches are actually decrypted!
Sega prevented that, but Capcom failed.
→ first CPS2 decryption, word by word



This mode is similar to the mode described in 2.2.7 Address Register Indirect with Index
(8-Bit Displacement) Mode, except the PC is the base register. The operand is in memory.
The operand's address is the sum of the address in the PC, the sign-extended displacement
integer in the extension word's lower eight bits, and the sized, scaled, and sign-extended
index operand. The value in the PC is the address of the extension word. This is a program
reference allowed only for reads. The user must include the displacement, the PC, and the
index register when specifying this addressing mode.
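The three facts above combine into one design flaw: the protection decrypts on fetch according to the 68000 function code, the reset vectors are fetched in supervisor program space, and a (d16,PC) operand read is a program reference. The C below is a toy model written for this page to make that visible; it is not Capcom's scheme and not MAME code. The cipher (a word XOR an address-derived mask), the ROM layout, the plaintext words and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of a CPS2-style "decrypt on fetch" bus, written for this page as an
 * illustration.  It is not Capcom's scheme and not MAME code: the cipher is a
 * constructed placeholder (word XOR an address-derived mask) whose only job is to
 * make the stored ROM differ from the plaintext.  What the model reproduces is the
 * routing rule the talk describes: the 68000 function-code lines FC2..FC0
 * (Table 3-3) decide whether a fetch passes through the decryption unit. */

enum {
    FC_USER_DATA  = 1,   /* L L H */
    FC_USER_PROG  = 2,   /* L H L */
    FC_SUPER_DATA = 5,   /* H L H */
    FC_SUPER_PROG = 6,   /* H H L */
    FC_CPU_SPACE  = 7    /* H H H */
};

#define ROM_BYTES  32
#define CODE_BYTES 16    /* constructed layout: bytes 0x00-0x0F code, 0x10-0x1F data */

/* Constructed plaintext: a few 68000 instructions, then a data table. */
static const uint16_t plain_rom[ROM_BYTES / 2] = {
    0x0C80, 0x0564, 0x2194,          /* cmpi.l  #$5642194,D0     */
    0x33FC, 0x7000, 0x0040, 0x0000,  /* move.w  #$7000,$400000.l */
    0x4E71,                          /* nop                      */
    0x1234, 0x5678, 0x9ABC, 0xDEF0,  /* data table, stored in the clear */
    0x0011, 0x2233, 0x4455, 0x6677,
};

static uint16_t board_rom[ROM_BYTES / 2];   /* what the ROM chips actually hold */
static int      board_built;

/* Placeholder keystream, a function of the address only (assumption of the toy). */
static uint16_t toy_mask(uint32_t addr)
{
    return (uint16_t)(0xA5C3u ^ (uint16_t)(addr * 0x9E37u));
}

/* "Manufacturing": the code region is stored encrypted, data stays clear
 * (the talk: code is crypted, data isn't). */
void build_board(void)
{
    for (uint32_t a = 0; a < ROM_BYTES; a += 2) {
        uint16_t w = plain_rom[a / 2];
        board_rom[a / 2] = (a < CODE_BYTES) ? (uint16_t)(w ^ toy_mask(a)) : w;
    }
    board_built = 1;
}

/* One bus read.  The protection logic sees only the function code: program-space
 * accesses are decrypted on the fly, data-space accesses are returned as stored.
 * The reset vectors (Table 6-2, space SP) are fetched as supervisor program
 * references, so they come back decrypted; that is why they must be stored
 * encrypted like the rest of the code. */
uint16_t bus_read(uint32_t addr, int fc)
{
    if (!board_built)
        build_board();
    uint32_t a   = addr & (ROM_BYTES - 1) & ~1u;   /* word-align, wrap into the toy ROM */
    uint16_t raw = board_rom[a / 2];
    int program  = (fc == FC_USER_PROG || fc == FC_SUPER_PROG);
    return program ? (uint16_t)(raw ^ toy_mask(a)) : raw;
}

/* Operand read for the (d16,PC) mode: per the manual excerpt above it is a
 * program reference, so the bus sees a program-space function code.  pc is the
 * address of the extension word, as the manual defines it. */
uint16_t pc_relative_read(uint32_t pc, int16_t d16, int supervisor)
{
    return bus_read((uint32_t)((int32_t)pc + d16),
                    supervisor ? FC_SUPER_PROG : FC_USER_PROG);
}

/* The flaw in one number: walking the code region with PC-relative reads hands
 * back every encrypted word in the clear, whereas the same words read as data
 * (what a checksum routine does) come back as ciphertext. */
int count_words_recovered_via_pc(void)
{
    int n = 0;
    for (uint32_t a = 0; a < CODE_BYTES; a += 2)
        if (pc_relative_read(0, (int16_t)a, 1) == plain_rom[a / 2])
            n++;
    return n;
}

int main(void)
{
    printf("stored word 0              : %04X\n", bus_read(0, FC_SUPER_DATA));
    printf("fetched as supervisor prog : %04X\n", bus_read(0, FC_SUPER_PROG));
    printf("code words recovered via (d16,PC): %d of %d\n",
           count_words_recovered_via_pc(), CODE_BYTES / 2);
    return 0;
}
```

The lesson for anyone designing a decrypt-on-fetch unit is the one the slide draws between Sega and Capcom: keying the decryption on "program space or not" is only sound if the CPU cannot perform a program-space read whose result lands in a register, and on the 68000 the PC-relative modes do exactly that.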
So, in summer 2000, I visited Raz, hoping we'd break the algo.
But no success...



[Disassembly slide, badly damaged by OCR. The readable part of the game's entry code is: reset, a run of nops, two move.b #$0 writes to an I/O address in the $8xxxxx range, then cmpi.l #$5642194, D0 / lea ($6,PC), A4 / bra $d82, followed by lea, jmp and movea instructions. A second listing is an unrolled loop alternating move.l (A0)+,(A1) and or.l D0,(A1)+.]

In December 2000, Raz noticed that Capcom
leaked the key to keep decryption alive;
automated dumping is now possible!

We dumped by connecting the CPS2 to the joystick port of the PC.
Ugly, clumsy, slow, but it worked!
CPS-2 Encryption Scheme Broken

Posted by Hemos on Sunday January 07, 2001 @10:44 AM
from the more-roms-for-all dept.

Acheon writes: "The CPS-2 arcade board from Capcom uses some hard encryption
scheme that has been a very hot issue in emulation for years. Yet
finally the code was broken. Final Burn, a quite recent arcade emulator,
showed concrete results by running previously unsupported games
such as Street Fighter Zero using decrypted ROM images. The CPS-2
Shock Team, who managed to reverse engineer the process from
scratch, really outdid themselves and it is a very uncommon
achievement."
The news didn't get it right, as usual.

The Register

CPS2 arcade encryption smashed

Morality debate ensues

By Lucy Sherriff

Posted in Business, 8th January 2001 19:44 GMT

A group of gaming enthusiasts called the CPS-2 Shock Team claims to have broken the encryption on
the CPS-2 arcade board from Capcom.

While the algorithm itself has not been compromised, the group has managed to extract unencrypted
data from the board using the 68k code on the hardware itself, according to a poster on Slashdot.
Whether this actually constitutes a break of encryption is a subject under discussion at the



NEOGEO HACKER by Razoola

Joystick and button 1

Memory viewer.
[ ] Dump data.
[ ] Verify dump.
[ ] Music Player.
[ ] Run Loaded Game.

DO NOT DISTRIBUTE THIS SOFTWARE.

Start PC software & make sure lead
connected. (button 1 to continue)

Use joystick to choose a region to
dump. (button 1 to continue)
But with "joystick dumping", that was defeated quickly :p
(decryption done by Nicola Salmoria)
[Screens of the dumping tool: a hex view of a dumped region, then "NEOGEO HACKER by Razoola: Use PC tool to create needed files for verify. (button 1 to continue)"]
move.w  #$7000, $400000.l
move.w  #$0, $8040a0.l
move.w  #$807d, $400002.l
move.w  #$1234, $400004.l
move.w  #$0, $400006.l
move.w  #$40, $400008.l
move.w  #$10, $40000a.l
move.w  #$f00, $804040.l
cmpi.l  #$5642194, D0
lea     ($6,PC), A4        ; ($9d6)
bra     $e82
move.w  #$ffc0, $80010c.l
move.w  #$0, $80010e.l
move.w  #$9000, $800100.l
move.w  #$9080, $800102.l
move.w  #$90c0, $800104.l



Video and sound registers had a different address on dead boards;
patching these addresses makes them work again!



move.w  #$7000, $fffff0.l
move.w  #$0, $8040a0.l
move.w  #$807d, $fffff2.l
...
move.w  #$0, $fffff6.l
...
cmpi.l
lea
...
move.w  #$0, $80010e.l
move.w  #$9000, $800100.l
...
move.w  #$90c0, $800104.l



Workflow: decrypt code, merge with data, patch addresses...
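The "patch addresses" step, as an illustration written for this page (not Razoola's tool, not MAME code): the two listings above show `move.w #imm,$4000xx.l` writes being redirected to `$ffffxx` so that a dead board's video and sound registers are reached again. The example assumes the whole 16-byte window `$400000-$40000F` maps to `$FFFFF0-$FFFFFF` (the listings only show offsets 0, 2 and 6) and handles only the `move.w #imm,abs.l` encoding, opcode word `$33FC`; the sample image is constructed from the first three instructions of the original listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Address patching for a decrypted 68000 program image, written for this page.
 * Assumptions: only "move.w #imm,abs.l" (opcode word $33FC, 8 bytes:
 * 33FC iiii aaaa aaaa) is recognised, and the window $400000-$40000F is
 * remapped to $FFFFF0-$FFFFFF, generalising the offsets the listings show. */

#define OLD_BASE 0x400000u
#define NEW_BASE 0xFFFFF0u
#define WINDOW   0x10u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk the image word by word and rewrite matching targets; returns the count. */
size_t patch_output_registers(uint8_t *img, size_t len)
{
    size_t patched = 0;
    for (size_t i = 0; i + 8 <= len; i += 2) {
        if (img[i] != 0x33 || img[i + 1] != 0xFC)
            continue;                              /* not move.w #imm,abs.l */
        uint32_t target = be32(img + i + 4);
        if (target >= OLD_BASE && target < OLD_BASE + WINDOW) {
            put_be32(img + i + 4, NEW_BASE + (target - OLD_BASE));
            patched++;
        }
        i += 6;   /* skip the operand words so they are not mistaken for an opcode */
    }
    return patched;
}

/* Constructed image: the first three instructions of the original listing. */
static uint8_t demo_img[] = {
    0x33, 0xFC, 0x70, 0x00, 0x00, 0x40, 0x00, 0x00,  /* move.w #$7000,$400000.l */
    0x33, 0xFC, 0x00, 0x00, 0x00, 0x80, 0x40, 0xA0,  /* move.w #$0,$8040a0.l (left alone) */
    0x33, 0xFC, 0x80, 0x7D, 0x00, 0x40, 0x00, 0x02,  /* move.w #$807d,$400002.l */
};

size_t run_demo(void)
{
    return patch_output_registers(demo_img, sizeof demo_img);
}

/* Address operand of the n-th 8-byte instruction in the demo image. */
uint32_t demo_target(size_t n)
{
    return be32(demo_img + n * 8 + 4);
}

int main(void)
{
    size_t n = run_demo();
    printf("%zu targets patched\n", n);
    for (size_t i = 0; i < sizeof demo_img / 8; i++)
        printf("  instruction %zu now writes $%06X\n", i, demo_target(i));
    return 0;
}
```

A linear byte scan like this one can match `33FC` inside data or inside the operand of another instruction, which is why the real work was done from a disassembly, as the slides show; the scan here is only the mechanical part of the workflow.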
Razoola made a universal test ROM,
and "no more battery" Phoenix versions.

This also made bootlegs possible.

No more battery...

from MegaMan to Gigaman :(

CPS2, 1994





So now even the most obscure CPS2 games were preserved,
but the encryption was still unknown.

And it would take us 200 years to dump all possible values for one game,
so we needed someone else to continue...
Charles MacDonald is an awesome hacker, with special weapons.
Here, his PAL black-boxer.

So he took the CPS2 PALs, determined their internal configuration
by black-boxing them, and replaced them with GALs.
He now had control over memory mapping!
USB!!!

To dump the CPS2 directly via its expansion port, to USB!!!
He could dump the 8 Gb set in 17 h.

He did that for several games, but that wasn't enough to understand the algorithm.

So someone else needed to continue to break the algo.



That's where Nicola Salmoria and Andreas Naive helped;
they're awesome at determining encryption algorithms.
The algo was Feistel-based, and the key was 64 bits.

So, from one European decrypted dump of a game,
the key could be determined,

which could then decrypt the rare Japanese version of the game.
Last, Dave Haywood designed an attack to determine
the key just from the ENCRYPTED dump of the game.
So even the rarest CPS2 game was preserved!
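The two properties the slides above rely on, a Feistel structure and a 64-bit key, are enough to show the "one decrypted dump gives the key, the key gives the other version" workflow in code. The C below is a toy cipher written for this page; it is not Capcom's algorithm (MAME's cps2crpt.c, linked below, has the real one) and its round function, key schedule, key value and the two constructed regional dumps are all assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy address-tweaked Feistel cipher, constructed for this page.  It is NOT
 * Capcom's CPS2 algorithm (MAME's cps2crpt.c has the real one); it keeps only
 * the two properties the talk relies on: a Feistel structure, so one round
 * function serves both directions, and a 64-bit key.  Block = one 16-bit ROM
 * word split into two bytes, 4 rounds, round key i = key bits 16i..16i+15. */

#define ROUNDS 4

/* Round function (assumption of the toy).  The odd multiplier is a bijection on
 * a byte, so changing the low key byte changes the output for every input;
 * that is what makes a wrong key fail the check below with certainty. */
static uint8_t round_f(uint8_t r, uint16_t k, uint32_t addr)
{
    uint8_t x = (uint8_t)((r ^ (k & 0xFF)) * 0x9D);
    return (uint8_t)(x + (k >> 8) + (addr >> 1) * 0x35);
}

uint16_t feistel_encrypt(uint16_t w, uint32_t addr, uint64_t key)
{
    uint8_t l = (uint8_t)(w >> 8), r = (uint8_t)w;
    for (int i = 0; i < ROUNDS; i++) {
        uint16_t k  = (uint16_t)(key >> (16 * i));
        uint8_t  nr = (uint8_t)(l ^ round_f(r, k, addr));
        l = r;
        r = nr;
    }
    return (uint16_t)((l << 8) | r);
}

/* Same rounds in reverse order with the halves swapped: the Feistel property. */
uint16_t feistel_decrypt(uint16_t w, uint32_t addr, uint64_t key)
{
    uint8_t l = (uint8_t)(w >> 8), r = (uint8_t)w;
    for (int i = ROUNDS - 1; i >= 0; i--) {
        uint16_t k  = (uint16_t)(key >> (16 * i));
        uint8_t  pl = (uint8_t)(r ^ round_f(l, k, addr));
        r = l;
        l = pl;
    }
    return (uint16_t)((l << 8) | r);
}

/* One word of a dump whose decrypted form is known from another board. */
struct known_word { uint32_t addr; uint16_t cipher; uint16_t plain; };

/* A candidate key explains a dump when it maps every known ciphertext word to
 * its plaintext; this is the check run before a key recovered from one
 * version's dump is trusted on another version. */
int key_explains(uint64_t key, const struct known_word *kw, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (feistel_decrypt(kw[i].cipher, kw[i].addr, key) != kw[i].plain)
            return 0;
    return 1;
}

void decrypt_image(const uint16_t *enc, uint16_t *out, size_t words,
                   uint32_t base, uint64_t key)
{
    for (size_t i = 0; i < words; i++)
        out[i] = feistel_decrypt(enc[i], base + 2 * (uint32_t)i, key);
}

/* Constructed demo data: one game key shared by two regional versions. */
#define GAME_KEY   0x0123456789ABCDEFull
#define DEMO_BASE  0x000100u
#define DEMO_WORDS 6
static const uint16_t euro_plain[DEMO_WORDS]  = { 0x4E71, 0x33FC, 0x7000, 0x0040, 0x0000, 0x4E75 };
static const uint16_t japan_plain[DEMO_WORDS] = { 0x4E71, 0x33FC, 0x7001, 0x0040, 0x0000, 0x4E75 };

/* End-to-end: build both encrypted ROMs, confirm the key against the European
 * pairs, reject a wrong key, decrypt the Japanese ROM.  Returns the number of
 * Japanese words recovered (DEMO_WORDS on success, negative on a failed check). */
int demo_recover_japan(void)
{
    struct known_word kw[DEMO_WORDS];
    uint16_t japan_enc[DEMO_WORDS], japan_dec[DEMO_WORDS];
    for (size_t i = 0; i < DEMO_WORDS; i++) {
        uint32_t a   = DEMO_BASE + 2 * (uint32_t)i;
        kw[i].addr   = a;
        kw[i].plain  = euro_plain[i];
        kw[i].cipher = feistel_encrypt(euro_plain[i], a, GAME_KEY);   /* Euro ROM */
        japan_enc[i] = feistel_encrypt(japan_plain[i], a, GAME_KEY);  /* Japanese ROM */
    }
    if (!key_explains(GAME_KEY, kw, DEMO_WORDS))        return -1;
    if (key_explains(GAME_KEY ^ 0xA5u, kw, DEMO_WORDS)) return -2;   /* low key byte altered */
    decrypt_image(japan_enc, japan_dec, DEMO_WORDS, DEMO_BASE, GAME_KEY);
    int ok = 0;
    for (size_t i = 0; i < DEMO_WORDS; i++)
        ok += (japan_dec[i] == japan_plain[i]);
    return ok;
}

int main(void)
{
    printf("Japanese words recovered with the confirmed key: %d of %d\n",
           demo_recover_japan(), DEMO_WORDS);
    return 0;
}
```

The point of `key_explains` is the one the slide makes: with a known decrypted dump of one version, any candidate key can be confirmed or rejected immediately, so once the structure is understood the key becomes the only unknown, and a 64-bit key is far cheaper to search than the "200 years" of dumping every possible value mentioned earlier.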
SUCCESS

Many people contributed, in various ways.




This is the Bubble Memory system;
it's very fragile.
To work, it needs to warm up to a certain temperature.
To me, this big countdown says:

"all these games are going to disappear if no one hacks or contributes to them"

Last Survivor, a System X game from 1989,
was thought to be lost forever.
Someone still had one in working condition:
it was preserved, 20 years later!



CPS2Shock
http://www.cps2shock.com
http://web.archive.org/web/*/http://cps2shock.retrogames.com

Charles MacDonald
http://cgfm2.emuviews.com/old2005.php

Nicola Salmoria
http://mamelife.blogspot.com/2006/01/8gb-2-is-still-4gb.html

Andreas Naive
http://andreasnaive.blogspot.com/2006_12_01_archive.html

MAME (CPS2 encryption source)
https://github.com/mamedev/mame/blob/master/src/mame/machine/cps2crpt.c

DarkSoft
http://64darksoft.blogspot.com
SFA3 has a time lock: if you let it run long enough,
some special modes are unlocked;
the title background tells how many modes are unlocked.

Hidden in the operator menu:
Razoola found the crazy cheat codes
in the disassembly to turn on these
extras without waiting weeks.
[Photo: USB-B connector on the Sega-USB Link v1.1, (C) 2004-2011 Charles MacDonald, http://cgfm2.emuviews.com]

Charles MacDonald also worked on Sega hardware and created his own device.
Modern tools show how fighting game engines actually work:
damage areas change from one version to the other.

Attack behind you, or be hit for no reason...